- ABP Framework version: v7.3.3
- UI Type: Angular
- Database System: EF Core (SQL Server)
- **Auth Server Separated (for Angular)
- Exception message and full stack trace:
- Steps to reproduce the issue:
1- Log in to the system 2- Setup Authenticator app from my account 3- Enable two-factor authentication 4-Log out from the system and log in again 5- Select provider authenticator 6- Navigate to (google or Microsoft authenticator ) 7- Enter the authentication code from the app authenticator into the system, wait until it expires, and then press submit.
Actual result: The system allows the user to enter the expired authentication code and then enter it into the system
Expected result: The system should display an error message stating that the code is invalid or expired
Please can you see this video .
4 Answer(s)
-
0
Hi,
As per TOTP algorithm, the expiry time of one time password code is not controlled. So even if you are entering the expired code, it is really not expired. It is just expired in the time slice when the app generated it, but Azure AD B2C will accept it within time tolerance
Please have a look at Microsoft explanation on the same issue with Microsoft Authenticator https://learn.microsoft.com/en-us/answers/questions/1045996/ad-b2c-custom-policy-microsoft-authenticator-totp
Thank you, Anjali
-
0
Hi,
Thank you for the feedback.
Microsoft explanation is related to their own implementation in AD B2C service, which is not related to the authenticator app itself not is related to what ABP Code is actually doing. Each server decides how long will it accepts the OTP token; and in their case it seems to be up to 5min,
Generally speaking It is common but not universal to accept, at a given time,
- the current token,
- the token from the previous window,
- the token for the next window. This is done as a partial mitigation for potential clock skew issues on the client that's generating the TOTP codes (e.g. your phone). In practice this means every code is valid for 1m30s, although sites may customize this (with or without changing the window size, which is typically not done because that parameter must be consistent system-wide).
So the question, what is abp server code does in this regard? for how long it would accepts the token?
Regards, Shorhabel
-
0
Hello
I wonder if you have any feedback on the above
regards, Shorhabel
-
0
hi
abp uses the functionality provided by identity. No changes have been made.
https://learn.microsoft.com/en-us/aspnet/core/security/authentication/mfa?view=aspnetcore-7.0#mfa-totp-time-based-one-time-password-algorithm https://learn.microsoft.com/en-us/aspnet/core/security/authentication/identity-enable-qrcodes?view=aspnetcore-7.0#totp-client-and-server-time-skew
